After letting wfuzz run for a few seconds, it became apparent that we were getting the 200 response code for URLs that were nonexistent:

![](wfuzz1.png) 

![](notfound.png)

Or the subdomain just linked right back to the front page of the website:

![](ftp.png)

So in order to filter out the subdomains that didn't seem to lead anywhere, I filtered the output to exclude responses with 3880 characters using the **--hh** keyword since this seemed to be the common character length

> If I could, I would've filtered anything above 3880 as well since this was also a common char length of the responses that didn't matter

Unfortunately, we still have a lot of junk subdomains to filter out, but since these all these responses seem to be above 3k character length, we just have to find the one that stands out:

![](wfuzz2.png)

And the winner is dev! With only 934 length, it made me investigate:

![](dev.png)
Boom! We've got a password for andre@cmess.thm!

My first thought was uploading a shell and after a bit of googling, I found [this](https://rastating.github.io/gila-cms-upload-filter-bypass-and-rce]), the article mentions that it's a filter bypass and the .htaccess file the author is 
dealing with, contains the following:

```
<Files *.php>
deny from all
</Files>
```

Which basically means to deny the upload of any php files.

But lucky for us, ours doesn't deny php file uploads, here's our .htaccess file:

![](ht.png)

Now we need to find a directory we can access in order to execute our own code, the first one I tried was assets and I could access it, so this is where we will be uploading our reverse shell

##### NOTE: The reverse shell used is from dir /usr/share/laudanum/php on kali

Now we're able to grab the user flag:

![](user.png)

After running linpeas, we see that there is the following command ran in order to generate a user's backup: `tar -zcf *`. Before doing this box, I didn't realize this was a thing, but after reading a writeup, I discovered that using tar and a wildcard (which means it's archiving everything in a directory that's what the wildcard does) can be subject to injection of our own code, 

![](cron.png)

So, since this cronjob is being ran by root and archiving everything in the backup directory, our injected code will be ran by root!

Now, we create our reverse shell and put it on the victim's machine, then we run some other commands which I'll do my best to explain, but I highly recommended reading [this](https://www.hackingarticles.in/linux-privilege-escalation-by-exploiting-cron-jobs/) as it explains it a lot better than I could.

![](dir.png)

Here, we are echo'ing our reverse shell to a file, then we are basically saying that once tar gets to archiving shell.sh, execute it using bash. The reverse shell used was a simple netcat shell found in the article article above. 

![](nc.png)

And after waiting for 2 minutes, we've rooted the box!
